Updated November 26th, 2019 at 13:02 IST

Facebook, Twitter privacy breach leaks out user data to third-party developers

Facebook and Twitter users' data was compromised. Reports say that the personal data of hundreds of Facebook and Twitter users may have been improperly accessed.

Reported by: Tech Desk

Facebook and Twitter users' data was allegedly compromised due to a bug in Google Play Store. Reports say that the personal data of hundreds of Facebook and Twitter users may have been improperly accessed by developers. As per reports, developers were able to access the data of Facebook and Twitter users after their accounts were used to sign in to Google Play Store apps on Android handsets.

Here's what happened

It is learnt that the exposure of users' data took place through a bug in a third-party SDK, over which Facebook and Twitter have had no direct control. Third-party cybersecurity researchers reached out to both Facebook and Twitter to notify them about the vulnerability. We are awaiting more details on whether iOS users were also affected.

Security researchers discovered that a third-party software development kit (SDK) named 'One Audience' granted third-party developers access to users' personal data. User data such as usernames and email addresses was exposed to third-party developers.

Both Facebook and Twitter allow their users to log in to several apps using their Facebook and Twitter accounts, respectively. However, an app store bug in one of the third-party SDKs caused the data breach. Shockingly enough, when users logged in with a Twitter account to third-party apps installed through Google Play Store on Android devices, their most recent tweets were also accessible to developers.

Users of photo editing apps like Photofy and Giant Square may have been affected. Commenting on the issue, Facebook's spokesperson had this to say:

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."

Twitter also clarified that the issue was not due to a vulnerability in Twitter's software. This is what Twitter had to say:

"This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so."

Meanwhile, Twitter has also informed Google and Apple about the malicious SDK so that they can take further action.


Published November 26th, 2019 at 12:39 IST